DRIVERS-2987 Restrict access to Azure VMs (mongodb-labs#514)

* Remove default network security group rule. Default opens SSH and RDP to internet.
* Create NSG rule with current IP
* Add set-ssh-ip.sh to add current IP. Needed since Azure KMS task group may run scripts across multiple Evergreen hosts.
* Add `-n` to ssh commands. Prevents reading from stdin. Fixes interaction when script is run with Evergreen `shell.exec`. `shell.exec` reads commands from stdin by default.

.evergreen/auth_oidc/azure/run-driver-test.sh

@@ -24,6 +24,9 @@ export AZUREKMS_RESOURCEGROUP=$AZUREOIDC_RESOURCEGROUP
 export AZUREKMS_VMNAME=$AZUREOIDC_VMNAME
 export AZUREKMS_PRIVATEKEYPATH=$SCRIPT_DIR/keyfile
 
+# Permit SSH access from current IP.
+"$DRIVERS_TOOLS"/.evergreen/csfle/azurekms/set-ssh-ip.sh
+
 # Set up the remote driver checkout.
 DRIVER_TARFILE_BASE=$(basename ${AZUREOIDC_DRIVERS_TAR_FILE})
 # shellcheck disable=SC2088

.evergreen/csfle/azurekms/copy-file.sh

@@ -18,6 +18,10 @@ if [ -z "${AZUREKMS_RESOURCEGROUP:-}" ] || \
     exit 1
 fi
 
+# Permit SSH access from current IP.
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+"$SCRIPT_DIR"/set-ssh-ip.sh
+
 echo "Copying file $AZUREKMS_SRC to Virtual Machine $AZUREKMS_DST ... begin"
 IP=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query publicIps -o tsv)
 # Use -o StrictHostKeyChecking=no to skip the prompt for known hosts.

.evergreen/csfle/azurekms/create-vm.sh

@@ -23,6 +23,7 @@ echo "Creating a Virtual Machine ($AZUREKMS_VMNAME) ... begin"
 # Use --nic-delete-option 'Delete' to delete the NIC.
 # Specify a name for the public IP to delete later.
 # Specify a name for the Network Security Group (NSG) to delete later.
+# Use --nsg-rule=NONE to remove default open SSH and RDP ports.
 # Pipe to /dev/null to hide the output. The output includes tenantId.
 az vm create \
     --resource-group "$AZUREKMS_RESOURCEGROUP" \
@@ -36,6 +37,7 @@ az vm create \
     --os-disk-delete-option "Delete" \
     --public-ip-address "$AZUREKMS_VMNAME-PUBLIC-IP" \
     --nsg "$AZUREKMS_VMNAME-NSG" \
+    --nsg-rule "NONE" \
     --assign-identity $AZUREKMS_IDENTITY \
     >/dev/null
 
@@ -45,4 +47,17 @@ else
     SHUTDOWN_TIME=$(date -u -d "$(date) + 1 hours" +"%H%M")
 fi
 az vm auto-shutdown -g $AZUREKMS_RESOURCEGROUP -n $AZUREKMS_VMNAME --time $SHUTDOWN_TIME
+
+EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com/)
+
+# Add a network security group rule to permit SSH from current IP. This rule is updated with the current IP in "set-ssh-ip.sh" to permit SSH from different Evergreen hosts.
+az network nsg rule create \
+    --name "$AZUREKMS_VMNAME-nsg-rule" \
+    --nsg-name "$AZUREKMS_VMNAME-nsg" \
+    --priority 100 \
+    --resource-group "$AZUREKMS_RESOURCEGROUP" \
+    --destination-port-ranges 22 \
+    --description "To allow SSH access" \
+    --source-address-prefixes "$EXTERNAL_IP"
+
 echo "Creating a Virtual Machine ($AZUREKMS_VMNAME) ... end"

.evergreen/csfle/azurekms/run-command.sh

@@ -16,7 +16,11 @@ for VARNAME in "${VARLIST[@]}"; do
   [[ -z "${!VARNAME:-}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
 done
 
+# Permit SSH access from current IP.
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+"$SCRIPT_DIR"/set-ssh-ip.sh
+
 echo "Running '$AZUREKMS_CMD' on Azure Virtual Machine ... begin"
 IP=$(az vm show --show-details --resource-group $AZUREKMS_RESOURCEGROUP --name $AZUREKMS_VMNAME --query publicIps -o tsv)
-ssh -o StrictHostKeyChecking=no azureuser@$IP -i "$AZUREKMS_PRIVATEKEYPATH" "$AZUREKMS_CMD"
+ssh -n -o StrictHostKeyChecking=no azureuser@$IP -i "$AZUREKMS_PRIVATEKEYPATH" "$AZUREKMS_CMD"
 echo "Running '$AZUREKMS_CMD' on Azure Virtual Machine ... end"

.evergreen/csfle/azurekms/set-ssh-ip.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# set-ssh-ip.sh adds the current IP to an already-created VM.
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+# Get DRIVERS_TOOLS path.
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+. "$SCRIPT_DIR"/../../handle-paths.sh
+
+VARLIST=(
+    AZUREKMS_RESOURCEGROUP
+    AZUREKMS_VMNAME
+    AZUREKMS_PRIVATEKEYPATH
+)
+
+# Ensure that all variables required to run the test are set, otherwise throw
+# an error.
+for VARNAME in "${VARLIST[@]}"; do
+  [[ -z "${!VARNAME:-}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
+done
+
+EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com/)
+
+echo "Adding current IP ($EXTERNAL_IP) to Azure Virtual Machine ... begin"
+az network nsg rule update \
+    --name "$AZUREKMS_VMNAME-nsg-rule" \
+    --nsg-name "$AZUREKMS_VMNAME-nsg" \
+    --resource-group "$AZUREKMS_RESOURCEGROUP" \
+    --source-address-prefixes "$EXTERNAL_IP" > /dev/null
+
+IP=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query publicIps -o tsv)
+
+"$DRIVERS_TOOLS/.evergreen/retry-with-backoff.sh" ssh -n -o ConnectTimeout=10 -o StrictHostKeyChecking=no azureuser@"$IP" -i "$AZUREKMS_PRIVATEKEYPATH" "echo 'hi' > /dev/null"
+
+echo "Adding current IP ($EXTERNAL_IP) to Azure Virtual Machine ... end"